Man-in-the-middle (MitM) attacks have become one of the most serious risks to the
OpenFlow communication channel in software-defined networking, and detecting them
is very hard because the OpenFlow protocol has no authentication. This channel is
the most important in the network and is responsible for sending the control
commands from the controller to the switches, so once the OpenFlow channel is
compromised, the entire network is controlled by the attacker. Therefore, we
propose a solution, complementary to the transport layer security protocol, that
detects man-in-the-middle attacks based on a hybrid quantum-classical protocol.
The hybrid protocol provides easy-to-implement authentication between controller
and switches that depends on quantum and classical security layers, and it detects
eavesdropping on the channel from quantum parameters. In this paper, we implement
a simulation of the hybrid protocol using a software-defined networking emulator
to monitor the OpenFlow channel and detect attacks. The results show that it is
easy to detect eavesdropping and to verify the authenticity of the other party
with the hybrid method, which gives a high level of authentication.

1. INTRODUCTION

Over the last decade, researchers have focused on transforming networks into a more open,
programmable, reliable, secure, and manageable infrastructure. Software-defined networks (SDNs) are the
main result of this effort, and their basic concept is to separate network control from the data plane. This
separation creates the need for a communication channel between the two planes to carry commands, requests,
and statistics. This channel is called OpenFlow [1], [2]. The basic role of the OpenFlow protocol is to define
the communication that manages the interaction between the SDN controller and network forwarding devices
such as switches and routers, so that it becomes easier to change the configuration according to business
requirements. Protecting this channel is therefore important for protecting the entire network [3]-[5]. The
man-in-the-middle (MitM) attack is one of the most dangerous attacks on SDN: the attacker becomes a
malicious third party in the victims' communication without their knowledge. MitM attackers can copy,
modify and replace victims' traffic, causing significant damage to victims and posing a real risk to the
communication channel [6]-[8].

MitM attacks come in different types, but the kind that threatens OpenFlow protocol security is the
attempt to obtain the encryption key used to encrypt the communication channel between the controller and
the switch. Once the attacker has the key, it is very easy to modify OpenFlow messages, for example to
change flows by modifying the switch forwarding table, and to gather information.

Many traditional methods provide authentication between two parties and are effective against classical
attacks up to a certain level. The OpenFlow communication channel has been protected with traditional ways
of detecting MitM attacks, such as authentication in the transport layer security (TLS) protocol [9], [10],
but these have many weaknesses [11]. Much research has therefore focused on security protocols that protect
against MitM attacks. Nisar et al. [12] proposed the use of the TLS protocol to protect the OpenFlow
communication channel against MitM attacks, but in 2017 Agborubere and Sanchez-Velazquez [11] proved that
the TLS protocol contains security holes that allow such attacks, so they proposed adding messages between
the two parties to verify authentication. In 2018, Zhang and Qiu [13] proposed a proactive detection
mechanism, CMD, that detects MitM attacks in SDN from the connection characteristics of network traffic,
without analysing packet contents. On the other hand, Hugues-Salas et al. [14] proposed using the parameters
of quantum key distribution protocols to detect DDoS and MitM attacks. This provides a high level of
authentication and detection of eavesdropping based on the physical properties of quantum mechanics. The
first quantum key distribution protocol was proposed in 1984 by Bennett and Brassard and was later called
BB84 [15]. It uses the uncertainty principle and the no-cloning theorem [16] to guarantee that the
transmitted key has not been eavesdropped on or changed, so it is considered an important cryptographic
method for solving several network security problems [17]-[19]. This protocol uses two bases, rectilinear
and diagonal, to prepare photon states. In this paper, we propose a system that detects MitM attacks based
on a hybrid quantum-classical protocol that achieves authentication between two endpoints and monitors the
parameters of the quantum key distribution (QKD) protocol to reveal any attempt to eavesdrop on the
communication channel. In our proposal, the hybrid protocol was implemented to secure the communication
channel between the controller and switches in software-defined networks, so the proposed protocol can be
considered complementary to the TLS security protocol in achieving adequate security for OpenFlow messages.

This paper is organized as follows. Section 2 explains quantum key distribution and the BB84 protocol,
and section 3 presents the hybrid quantum-classical protocol. Section 4 shows the proposed model to detect
and prevent MitM attacks in software-defined networking. Section 5 presents the main results and simulation,
section 6 gives the security analysis, and section 7 provides the concluding remarks.


2. QUANTUM KEY DISTRIBUTION PROTOCOL 

Progress in quantum physics has led to new ways of ensuring security in communication.
Designers of encryption systems had to think about a new encryption system and solve the problem of
distributing the key securely in symmetric encryption systems. In quantum key distribution, a single or
entangled quantum is transferred between two parties [20]. Each party has two channels: the quantum channel
for the exchange of quanta and the classical public channel to check for eavesdropping. If a third party
measures the transferred quantum, both parties will discover the eavesdropper's presence over the public
channel. According to the rules of quantum mechanics, a measurement performed by the eavesdropper modifies
the quantum state [20], and an arbitrary quantum state cannot be cloned. In 1984, Charles H. Bennett and
Gilles Brassard proposed the first QKD protocol, which is therefore called BB84 [15]. The BB84 protocol uses
quantum and classical channels: a quantum channel, such as optical fiber, to send pulses of polarized light
in which each pulse contains one photon, and a classical public channel, such as a telephone line or
internet connection, to establish authentication between the parties. In general, the security of QKD
protocols, including BB84, depends on the no-cloning theorem and the superposition principle [16],
[21]-[23].


3. HYBRID QUANTUM-CLASSICAL PROTOCOL 

The hybrid protocol was proposed as a complement to the TLS protocol and aims to achieve
full security for OpenFlow messages. In the hybrid protocol [24], [25], the classical Diffie-Hellman
protocol is integrated with the QKD-BB84 protocol to achieve two levels of authentication. The first is
provided by the physical properties of quantum bits and the second by the classical authentication channel.
To explain the protocol more clearly, its operation is presented in two stages. The first stage uses a
quantum channel: polarized photons are prepared from random bases and random bits and transmitted through
the quantum channel to the other side. By the no-cloning theorem, any attempt to eavesdrop on the state of
these photons is detected by both parties. In the second stage, the parties authenticate each other over a
classical channel: the random bases, the Diffie-Hellman parameters, and a timestamp are sent with a hash
code to achieve authentication, and then both parties calculate their keys by combining the classical and
quantum keys using an XOR operation, as shown in Figure 1.

Figure 1. Hybrid quantum-classical protocol


4. PROPOSED WORK 

In this work, we focus on how to detect MitM attacks in less time and more accurately. We also apply a
simple procedure to limit the risk of an attack on the network by closing the connection and the port. We
therefore suggest a hybrid protocol that achieves authentication and detects MitM attacks on the OpenFlow
channel from quantum parameters such as the quantum bit error rate (QBER) and the secret key rate (SKR).
Authentication is based on the rules of quantum mechanics and on the hash code of the traditional method.
The proposed procedure for detecting a MitM attack begins with running the hybrid protocol and agreeing on
a max-error threshold between switch and controller; this threshold is determined from the channel noise
without an attack.

Basic parameters are then exchanged for measuring the photons and calculating the key.
The controller checks the authentication code sent over the classical channel to make sure that the switch
is the intended one, then calculates the error rate of the generated key and compares it with the agreed
threshold. If the error rate is greater than the threshold, this indicates that a MitM attacker has modified
the state of the transferred photons. From the characteristics of quantum mechanics [11], the parties will
know that a third party has modified the state of the photons transmitted through their communication
channel. Algorithm 1 explains the overall process of authentication and detection of MitM attacks by the
controller, as shown in Figure 2, while Algorithm 2 explains how authentication is achieved between the
controller and the switch. When the controller detects a MitM attack on the OpenFlow channel, it takes a
precaution such as closing the connection and deleting the port. The algorithm code is shown in Figure 3.


Algorithm 1: Detect MitM attack from the controller side

Input: Initial Photons, Threshold
Output: Detect attack
Begin:
1. Generate Random Bits & Random Bases
2. Prepare Quantum States
3. Send Quantum States as Photons via Quantum channel
4. Receive BB84-Bases from Switch
5. Calculate QBER
6. Check QBER with Threshold
7. If (QBER > Threshold)
   - Close communication channel
   - Delete income port
   Else
   - Response to Request over encrypted


Figure 2. Authentication process code of MitM attacks 

Algorithm 2: Achieve authentication between controller and switch

Input: Initial Photons, Threshold, Private-key
Output: Achieve authentication
Begin:
1. Generate Random Bits & Random Bases & public key
2. Prepare Quantum States
3. Send Quantum States as Photons via Quantum channel
4. Receive BB84-Bases & public key with SHA-256 Hash code from Switch
5. Check Hash code
6. If (Hash code is valid?)
   - Calculate QBER
   - Check QBER with Threshold
   - If (QBER > Threshold)
       - Close communication channel
       - Delete income port
     Else
       - Response to Request over encrypted channel
   Else
   - Close communication channel
   - Delete income port


Figure 3. Authentication achievements code of MitM attacks 
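
The classical stage of section 3 and the controller-side checks of Algorithm 2, as an added Python example that is not the paper's code. The paper names a SHA-256 hash code with a timestamp but not how it is keyed; this example assumes a pre-shared key and HMAC-SHA-256, because an unkeyed hash of public fields can be recomputed by anyone on the path. The toy Diffie-Hellman group, the field layout, the 30-second freshness window, and all names are also assumptions.

```python
import hashlib
import hmac
import secrets

P, G = 2**127 - 1, 3   # toy-sized DH group for the demo only (assumption)
MAX_AGE = 30           # seconds a timestamp counts as fresh (assumed value)

def auth_code(psk, dh_public, timestamp, bases):
    """Keyed SHA-256 code over the classical-stage fields (fixed-width, then bases)."""
    data = dh_public.to_bytes(16, "big") + timestamp.to_bytes(8, "big") + bases
    return hmac.new(psk, data, hashlib.sha256).digest()

def switch_message(psk, dh_public, timestamp, bases):
    return {"dh_public": dh_public, "timestamp": timestamp, "bases": bases,
            "code": auth_code(psk, dh_public, timestamp, bases)}

def controller_check(psk, msg, now, qber, threshold):
    """Algorithm 2 order: hash code first, then QBER against the threshold."""
    expected = auth_code(psk, msg["dh_public"], msg["timestamp"], msg["bases"])
    if not hmac.compare_digest(expected, msg["code"]):
        return "close: bad hash code"
    if not 0 <= now - msg["timestamp"] <= MAX_AGE:
        return "close: stale timestamp"
    if qber > threshold:
        return "close: QBER above threshold"
    return "respond"

def hybrid_key(own_private, peer_public, quantum_key):
    """XOR the 32-byte quantum key with SHA-256 of the DH shared secret (assumed KDF)."""
    if len(quantum_key) != 32:
        raise ValueError("quantum key must be 32 bytes in this sketch")
    shared = pow(peer_public, own_private, P)
    classical = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return bytes(c ^ q for c, q in zip(classical, quantum_key))

def demo():
    psk = secrets.token_bytes(32)                    # constructed pre-shared key
    c_priv, s_priv = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    qkey = secrets.token_bytes(32)                   # stands in for the sifted BB84 key
    msg = switch_message(psk, s_pub, 1000, bytes([0, 1, 1, 0]))
    altered = dict(msg, dh_public=pow(G, 12345, P))  # DH value changed in transit
    return {
        "genuine": controller_check(psk, msg, 1005, 0.02, 0.08),
        "altered": controller_check(psk, altered, 1005, 0.02, 0.08),
        "stale": controller_check(psk, msg, 1100, 0.02, 0.08),
        "noisy": controller_check(psk, msg, 1005, 0.26, 0.08),
        "keys_match": hybrid_key(c_priv, s_pub, qkey) == hybrid_key(s_priv, c_pub, qkey),
    }
```

Both "close" outcomes correspond to the close-channel and delete-port branches of Algorithm 2; the port handling itself is left to the controller framework.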


5. SIMULATION RESULTS 

To prove the efficiency of the proposed work, we implement it on a software-defined network
(SDN) with and without a MitM attack and then monitor the resulting QBER. The simulation
of the SDN environment was developed using the Mininet emulator with the Ryu controller and the Python
programming language. First, the hybrid protocol was run between the switch and the controller
without an attack more than once and with different numbers of initial photons to
determine the threshold to be used later:


$$\mathrm{QBER} = \frac{N_{wrong}}{N_{wrong} + N_{right}} \qquad (1)$$

where $N_{wrong}$ is the number of photons that are not detected, and $N_{right}$ is the number of photons
that are detected correctly. Table 1 shows the length of the final key and the QBER, which is calculated
using (1) [20].

Based on the above results, the threshold limit is set to 49%. After this, the hybrid protocol was run
again between the switch and the controller in the presence of the MitM attack more than once and with
different numbers of initial photons. The results show that the QBER is more than the threshold,
meaning that the attacker has modified the state of the photons, as shown in Table 2.
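
The threshold calibration and detection runs described in this section, together with the final branch of Algorithm 1, as an added Python example that is not the paper's simulation code. It assumes an ideal BB84 model with a measure-and-resend party on the path and counts wrong and right detections over the sifted positions only (the textbook convention), so its absolute QBER values are not those of Tables 1 and 2. The 2% channel noise, the 0.05 margin, and all function names are assumptions.

```python
import random

def bb84_counts(n, rng, intercept=False, noise=0.02):
    """Send n photons; return (n_wrong, n_right) over the sifted positions."""
    wrong = right = 0
    for _ in range(n):
        bit, basis = rng.getrandbits(1), rng.getrandbits(1)   # controller prepares
        fly_bit, fly_basis = bit, basis                       # state on the channel
        if intercept:                                         # measure-and-resend on the path
            mid_basis = rng.getrandbits(1)
            if mid_basis != fly_basis:                        # wrong basis: random outcome
                fly_bit = rng.getrandbits(1)
            fly_basis = mid_basis                             # re-sent in the measuring basis
        sw_basis = rng.getrandbits(1)                         # switch measures
        sw_bit = fly_bit if sw_basis == fly_basis else rng.getrandbits(1)
        if rng.random() < noise:                              # assumed channel noise
            sw_bit ^= 1
        if sw_basis != basis:                                 # sifting drops mismatched bases
            continue
        if sw_bit == bit:
            right += 1
        else:
            wrong += 1
    return wrong, right

def qber(wrong, right):
    """The ratio of equation (1): wrong / (wrong + right)."""
    return wrong / (wrong + right) if wrong + right else 1.0

def calibrate_threshold(runs, n, rng, margin=0.05):
    """Worst attack-free QBER plus a safety margin (assumed policy)."""
    return max(qber(*bb84_counts(n, rng)) for _ in range(runs)) + margin

def controller_action(wrong, right, threshold):
    """Final branch of Algorithm 1."""
    if qber(wrong, right) > threshold:
        return "close channel and delete port"
    return "respond over encrypted channel"

def demo(seed=7):
    rng = random.Random(seed)
    threshold = calibrate_threshold(5, 2048, rng)             # attack-free runs first
    clean = bb84_counts(2048, rng)
    tapped = bb84_counts(2048, rng, intercept=True)
    return (threshold, qber(*clean), qber(*tapped),
            controller_action(*clean, threshold), controller_action(*tapped, threshold))
```

In this model the measure-and-resend party raises the sifted error rate to roughly one quarter, which is the gap the calibrated threshold separates from channel noise.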


Table 1. The final key length and QBER in case of MitM attack

| No. Try | Qbits=256 Len. Key | Qbits=256 QBER | Qbits=512 Len. Key | Qbits=512 QBER | Qbits=1024 Len. Key | Qbits=1024 QBER | Qbits=2048 Len. Key | Qbits=2048 QBER |
|---|---|---|---|---|---|---|---|---|
| Try 1 | 132 | 48% | 252 | 50% | 523 | 48% | 981 | 52% |
| Try 2 | 136 | 46% | 245 | 52% | 502 | 50% | 1,005 | 50% |
| Try 3 | 126 | 50% | 259 | 49% | 514 | 49% | 1,070 | 47% |
| Try 4 | 128 | 50% | 271 | 47% | 553 | 45% | 1,028 | 49% |
| Try 5 | 134 | 47% | 246 | 51% | 530 | 48% | 1,013 | 50% |
| Mean | 131 | 48% | 254 | 49% | 524 | 48% | 1,019 | 49% |


Table 2. The final key length and QBER with the presence of MitM attack

| No. Try | Qbits=256 Len. Key | Qbits=256 QBER | Qbits=512 Len. Key | Qbits=512 QBER | Qbits=1024 Len. Key | Qbits=1024 QBER | Qbits=2048 Len. Key | Qbits=2048 QBER |
|---|---|---|---|---|---|---|---|---|
| Try 1 | 63 | 75% | 125 | 75% | 253 | 75% | 511 | 75% |
| Try 2 | 58 | 77% | 126 | 75% | 254 | 75% | 492 | 75% |
| Try 3 | 69 | 73% | 122 | 76% | 234 | 77% | 523 | 74% |
| Try 4 | 60 | 76% | 133 | 74% | 270 | 73% | 508 | 74% |
| Try 5 | 68 | 73% | 142 | 72% | 279 | 72% | 527 | 74% |
| Mean | 63 | 74% | 129 | 74% | 258 | 74% | 512 | 74% |

The difference in QBER with and without a MitM attacker is displayed in
Figure 4. The results show that the QBER is more than the threshold, so the attacker can be detected
simply. Figure 5 shows the MitM attack running on the Mininet emulator, where the attacker measures the
sent keys and sends them again as quanta to the switch. Figure 6 shows the quantum IDs sent between
controller and switch, captured using the Wireshark tool.


[Figure 4 plot: QBER against Initial Qbits (axis ticks 128, 256, 512, 1024, 2048), with two series: QBER-SSP without MitM and QBER-SSP with MitM]


Figure 4. QBER comparison 

Figure 5. MitM attacker

Figure 6. The communication between controller and switch


6. SECURITY ANALYSES

We offer the following analysis of the hybrid protocol: i) QKD-BB84 is controlled by the SDN
controller, so only the legitimate switches can obtain the quantum key, which permits only these switches
to connect to the controller; ii) in the proposed protocol the classical channel achieves authentication by
using the SHA-256 hash function, and the freshness of the hash code is ensured by adding a timestamp; and
iii) the quantum properties protect against eavesdroppers. Together, these bring authentication between
controller and switches.

So, a MitM attack on the OpenFlow channel can be detected and mitigated through these measures. 
Mitigating the risk of a MitM attack on the OpenFlow channel requires a combination of preventive and 
detective measures. Implementing security best practices, such as using strong authentication mechanisms as 
in our proposed idea, regularly updating software and firmware, and using encryption, can help prevent MitM 
attacks. 


7. CONCLUSION 

As a result of the rapid development of, and the trend towards, more manageable and programmable networks,
software-defined networks have emerged. On the other hand, the problem of MitM attacks on the
OpenFlow channel that connects the controller to the data plane threatens the security of the entire network.
Therefore, we suggest a way to detect MitM attacks by relying on the quantum-classical protocol. This method
can detect the attack in real time and with high accuracy and authentication because we rely on QKD
parameters and properties of quantum mechanics to detect this type of attack, as well as classical ways to
achieve authentication. This work was performed on the Mininet emulator using the Python programming
language. The results show the difference in QBER between the presence and absence of a MitM
attacker, so it is easy for the SDN controller to detect the attacker and take the necessary action.